How does GDPR affect me and my business?
The regulations are getting tighter and the fines are getting larger. As of 25th May 2018 all companies must adhere to not only the new double opt-in regulation but must provide records to your local data protection authority that confirm who has agreed to what and when. But remember this isn’t just storing information correctly but encryption, deletion, quarantine and notification.
Overall, basic knowledge about the GDPR is on the rise. As we should expect, the GDPR adopted the regulation back in April 2016. Four in five of the companies surveyed* (81%) had at least heard about the impending regulations. But is that enough? It’s less than a year until the regulation takes effect and just over 50% of these same companies can give a correct summary of the regulation. An even smaller percentage of business’ have budgeted for the extra resources needed to become legally compliant with the GDPR.
As far as the GDPR are concerned there are two categories that organisations fall into: Sole traders and partnerships aka specialist service individuals and self-employed individuals, and all other types of organisations. So, the regulations will affect any organisation which has 250+ employees. However, as Bernard Marr states in his article concerning the matter “a business must still comply if it’s involved in regular “processing” of certain categories of personal data. These categories include health data, information on individuals’ racial or ethnic origin, political affiliations, religious beliefs, genetic and biometric data and sexual orientation.” If you don’t comply you could potentially receive a €20 million fine or surrender 4% of your global annual turnover, whichever it the greatest.
The Domino effect of GDPR
Leaving this regulation to the last minute could prove detrimental to small companies and major corporations alike. Simon Moss, head of marketing at automation software provider Communigator puts it in black and white for us “So irrespective of whether you are based in the EU or not, or have an ESP in the EU, if you want to process the data of EU citizens you will need to be GDPR compliant”. Simple, right?
Referencing an interview concerning global distribution compliance David Jones, senior vice president of the Security and Information Governance Business Unit at Hewlett Packard Enterprise, states that regulation regimes are largely US dominated but this is changing. GDPR is specific to the EU although it applies to anyone who is doing business in the European Union. Essentially because other companies outside the EU are targeting the european market they will be affected. But Jones seems to only put emphasis on just “taking reasonable steps” to follow this new regulation. Are the US just aiming for a gold star for effort? Of course you can’t twist the words of one senior vice president of Hewlett Packard but reading through comments left on articles about GDPR a few concerned Brits are asking the same questions. “What does this mean for american corporations doing business with EU data?” “If an American corporation refuses to pay the fine, will they really be expected to show up at an EU tribunal?” “Who will come and arrest them, and what authority will they claim that could withstand a challenge in a U.S court of law?” But what about Britain’s efforts to become compliant? Well the UK has signalled that regarding GDPR regulations they will be transferred to UK law to “provide continuing legal certainty for citizens and businesses”. In essence the new regulations will not be affected by Brexit. Phew.
If any of the topics that we’ve touched on in this post concern you or your business or even if you have any questions that you’d like to ask our team please feel free to contact us